NIST: Guide (draft) to securing RFID systems

October 2006 | Security

The Computer Security Division (CSD) of NIST, the National Institute of Standards and Technology, has published the first draft of SP 800-98, "Guidance for Securing Radio Frequency Identification – RFID" (pdf, 1.6 M). The document describes the security risks to which RFID technology exposes an organization and suggests the countermeasures to adopt to mitigate those risks.
Comments and suggestions for the final release can be sent to sp800-98 AT nist DOT gov using the subject "Comments on Public Draft SP 800-98" by 27 October 2006.

Table of contents of the document

  • Executive Summary
  • 1. Introduction
    • 1.1 Authority
    • 1.2 Purpose and Scope
    • 1.3 Document Structure
  • 2. RFID Technology
    • 2.1 Automatic Identification and Data Capture (AIDC) Technology
    • 2.2 RFID System Components
    • 2.3 RF Subsystem
      • 2.3.1 Tag Characteristics
      • 2.3.2 Interrogator Characteristics
      • 2.3.3 Tag-Interrogator Communication
    • 2.4 Enterprise Subsystem
      • 2.4.1 Middleware
      • 2.4.2 Analytic Systems
      • 2.4.3 Network Infrastructure
    • 2.5 Inter-Enterprise Subsystem
      • 2.5.1 Open System Networks
      • 2.5.2 Object Naming Service (ONS)
      • 2.5.3 Discovery Service
    • 2.6 Summary
  • 3. RFID Applications and Application Requirements
    • 3.1 RFID Application Types
      • 3.1.1 Asset Management
      • 3.1.2 Tracking
      • 3.1.3 Matching
      • 3.1.4 Process Control
      • 3.1.5 Access Control
      • 3.1.6 Automated Payment
      • 3.1.7 Supply Chain Management
    • 3.2 RFID Information Characteristics
    • 3.3 RFID Transaction Environment
      • 3.3.1 Distance between Interrogator and Tag
      • 3.3.2 Transaction Speed
      • 3.3.3 Network Connectivity and Data Storage
    • 3.4 The Tag Environment between Transactions
      • 3.4.1 Data Collection Requirements
      • 3.4.2 Human and Environmental Threats to Tag Integrity
    • 3.5 RFID Economics
    • 3.6 Summary
  • 4. RFID Risks
    • 4.1 Business Process Risk
    • 4.2 Business Intelligence Risk
    • 4.3 Privacy Risk
    • 4.4 Externality Risk
      • 4.4.1 Hazards of Electromagnetic Radiation
      • 4.4.2 Computer Network Attacks
    • 4.5 Summary
  • 5. RFID Security Controls
    • 5.1 Management Controls
      • 5.1.1 RFID Usage Policy
      • 5.1.2 IT Security Policies
      • 5.1.3 Agreements with External Organizations
      • 5.1.4 Minimizing Sensitive Data Stored on Tags
    • 5.2 Operational Controls
      • 5.2.1 Physical Access Control
      • 5.2.2 Appropriate Placement of Tags and Interrogators
      • 5.2.3 Secure Disposal of Tags
      • 5.2.4 Operator and Administrator Training
      • 5.2.5 Separation of Duties
      • 5.2.6 Non-revealing Identifier Formats
    • 5.3 Technical Controls
      • 5.3.1 Tag Data Protection
      • 5.3.2 RF Interface Protection
    • 5.4 Summary
  • 6. RFID Privacy Considerations
    • 6.1 Privacy Principles
    • 6.2 Federal Privacy Requirements for Federal Agencies
    • 6.3 Applicable Privacy Controls
    • 6.4 Embedding Privacy Controls
    • 6.5 Summary
  • 7. Recommended Practices
  • 8. Case Studies
    • 8.1 Case Study #1: Personnel and Asset Tracking in a Health Care Environment
      • 8.1.1 Phase 1: Initiation
      • 8.1.2 Phase 2: Acquisition/Development
      • 8.1.3 Phase 3: Implementation
      • 8.1.4 Phase 4: Operations/Maintenance
      • 8.1.5 Phase 5: Disposition
      • 8.1.6 Summary and Evaluation
    • 8.2 Case Study #2: Supply Chain Management of Hazardous Materials
      • 8.2.1 Phase 1: Initiation
      • 8.2.2 Phase 2: Acquisition/Development
      • 8.2.3 Phase 3: Implementation
      • 8.2.4 Phase 4: Operations/Maintenance
      • 8.2.5 Phase 5: Disposition
      • 8.2.6 Summary and Evaluation

Who is Manlio Torquato?

Manlio has worked in information security for many years. He is one of the founders of the Associazione Nazionale Esperti di Sicurezza e Compliance (ANESC).